Salesforce UK Processor BCR 


1. Introduction 
Salesforce, Inc. and its affiliates are committed to achieving and maintaining customer trust. Integral to 
this mission is providing a robust security and privacy program that carefully considers data protection 
matters. 


In accordance with UK Data Protection Laws and Regulations, the Salesforce UK Processor BCR is 
intended to provide an adequate level of protection for Personal Data during international transfers within 
the Salesforce Group made on behalf of Customers and under their instructions (all capitalised terms as 
defined below).¹ 


In case of a conflict between any information expressly set out in the Salesforce UK Processor BCR 
(and/or the terms of the Intra-Group Agreement relating to the Salesforce UK Processor BCR) and any 
other information referenced or otherwise incorporated into the Salesforce UK Processor BCR (and/or the 
Intra-Group Agreement) by reference, the former shall prevail. 


2. Definitions 


• Controller means the entity which determines the purposes and the means of the processing of 
Personal Data. 

• Customer(s) means the ultimate Controller for which Salesforce is processing Personal Data under a 
contract to provide the Services. 

• Data Subject means the identified or identifiable person to whom Personal Data relates. 

• Personal Data means any information relating to an identified or identifiable natural person. 

• Processing means any operation or set of operations which is performed on Personal Data or on sets 
of Personal Data, whether or not by automated means, such as collection, recording, organisation, 
structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, 
dissemination or otherwise making available, alignment or combination, restriction, erasure or 
destruction. 

• Processor means the entity which processes Personal Data on behalf of the Controller. 

• Salesforce Group means Salesforce, Inc. and each affiliate which is a signatory to the Intra-Group 
Agreement relating to the Salesforce UK Processor BCR, as listed in the document titled “Salesforce 
Group Affiliates for UK Binding Corporate Rules for Processors”, available here. 


¹ For clarity, the party that Salesforce contracts with (its customer) may be a Controller or a Processor of Personal 
Data. Where a Salesforce customer is a Processor of Personal Data, the Salesforce Group shall process Personal 
Data as Sub-processors on behalf of the ultimate Controller. Instructions from the Controller regarding the 
processing of Personal Data shall be given through the Salesforce customer acting as Processor. Salesforce’s 
customer shall be responsible for ensuring that Processing instructions as set out in its contract with the Salesforce 
Group have been authorized by the ultimate Controller. The Salesforce customer shall also be solely responsible for 
forwarding any notifications received from Salesforce Group under the contract and the Salesforce UK Processor 
BCR to the ultimate Controller where appropriate. 
• Salesforce UK Processor BCR means Salesforce’s UK Processor Binding Corporate Rules for the 
Processing of Personal Data, the most current version of which is available on Salesforce Group’s 
website, currently located here. 

• Services means the online services provided to Customer by the Salesforce Group, as listed in 
Appendix A. 

• Sub-processor means any Processor engaged by a member of the Salesforce Group. 

• Supervisory Authority means the UK Information Commissioner. 

• UK means the United Kingdom. 

• UK Data Protection Laws and Regulations means the United Kingdom’s Data Protection Act 2018, 
the UK GDPR and regulations made thereunder as amended from time to time. 

• UK GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 
April 2016 on the protection of natural persons with regard to the processing of personal data and on 
the free movement of such data (United Kingdom General Data Protection Regulation), as it forms 
part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the 
European Union (Withdrawal) Act 2018, as modified by Schedule 1 to the Data Protection, Privacy 
and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 and 2020 and its 
successor laws. 


3. Scope and Application 


The purpose of the Salesforce UK Processor BCR is to provide a binding governance framework for 
international transfers from the UK of Personal Data to and between members of the Salesforce Group 
when members of the Salesforce Group act as Processors and/or Sub-processors on behalf and under the 
documented instructions of Customers. 


The Salesforce UK Processor BCR applies to Personal Data submitted to the Services by: 
• Customers established in the United Kingdom whose processing activities for the relevant data 
are governed by UK Data Protection Laws and Regulations; or 
• Customers established outside the UK for which the customer has contractually specified that the 
UK Data Protection Laws and Regulations shall apply because the Customer is subject to UK 
Data Protection Laws and Regulations by virtue of Article 3(2) UK GDPR and Customer has 
instructed that the Salesforce UK Processor BCR shall apply. 


For the avoidance of doubt, this means that Customers determine whether the Salesforce UK Processor 
BCR applies to all Personal Data that are submitted to the Services that are subject to UK Data Protection 
Laws and Regulations; or all processing of Personal Data submitted to the Services and processed by the 
Salesforce Group irrespective of the origin of the data. 


The UK Information Commissioner shall at all times be the competent supervisory authority for the 
oversight of (i) the functioning of the Salesforce UK Processor BCR, and (ii) its compliance by the 
relevant members of the Salesforce Group. 
The Salesforce Group may update the Salesforce UK Processor BCR with approval from the Salesforce 
Group’s Data Protection Officer, general counsel and compliance officer. The Salesforce Group’s Data 
Protection Officer will maintain a change log which sets out the date of revisions to the Salesforce UK 
Processor BCR and the details of any changes made and will provide the necessary information (as 
further specified below) systematically to the Customer and upon request, to the UK Information 
Commissioner. All changes to the Salesforce UK Processor BCR shall be communicated to members of 
the Salesforce Group and the UK Information Commissioner without undue delay as further specified 
below. 


The Salesforce Group’s Data Protection Officer shall be responsible for: (i) keeping a fully updated list of 
the members of the Salesforce Group and third-party Sub-processors which shall be made available to the 
UK Information Commissioner, Customer and Data Subjects upon request from each member of the 
Salesforce Group; and (ii) making appropriate notifications to Customers and the UK Information 
Commissioner. The Salesforce Group shall not transfer Personal Data to a new member of the Salesforce 
Group until such member is appropriately bound by and complies with the Salesforce UK Processor BCR. 


The Salesforce Group shall make the most current version of the Salesforce UK Processor BCR, 
including the members of the Salesforce Group, available here. 


Administrative changes to the Salesforce UK Processor BCR and/or the list of members of the Salesforce 
Group will be reported to members of the Salesforce Group on a regular basis and annually to the UK 
Information Commissioner accompanied by a brief explanation of the changes. 


More significant changes to the Salesforce UK Processor BCR such as those that potentially affect data 
protection compliance, are potentially detrimental to the Data Subject rights, potentially affect the level of 
protection offered by the Salesforce UK Processor BCR or affect the binding nature of the Salesforce UK 
Processor BCR will be reported to the UK Information Commissioner without undue delay accompanied 
by a brief explanation of the changes, all members of the Salesforce Group, and where relevant, 
Customer. 


When the changes to the Salesforce UK Processor BCR affect the processing conditions, the Salesforce 
Group shall inform the Customer in such a timely fashion that Customer has the possibility to object to 
the change or to terminate the contract before the modification is made. 


The categories of Personal Data, the types of processing and its purposes, the types of Data Subjects 
affected and the identification of the recipients in the third countries are set out in Section 5 below. 


If the Customer chooses to apply the Salesforce UK Processor BCR, it shall be their responsibility to 
ensure it is applied to: 
- All Personal Data processed for Processor activities and that are submitted to UK law; or 
- All processing of Personal Data for Processor activities within the Salesforce Group whatever 
the origin of the data. 


4. Responsibilities Towards Customers 


A. General Obligations 


The Salesforce Group and its employees (including permanent employees, temporary workers, interns and 
contingent workers (including agency workers or individuals who provide a service through a personal 
service company) involved in processing Personal Data; referred to collectively throughout the Salesforce 
UK Processor BCR as "personnel") shall comply with the Salesforce UK Processor BCR, process 
Personal Data only upon a Customer’s documented instruction and shall have a duty to respect 
Customer’s instructions regarding the data processing and the security and confidentiality of Personal 
Data, pursuant to the measures provided in the contracts executed with Customers. 


All personnel are contractually required to adhere to the Salesforce UK Processor BCR and they may be 
subject to disciplinary procedures in the event that they are in breach of the Salesforce UK Processor 
BCR. 


The Salesforce Group shall immediately inform the Customer if in its opinion an instruction infringes UK 
Data Protection Laws and Regulations. 


B. Transparency, Fairness, Lawfulness and Cooperation with Customers 


The Salesforce Group undertakes to be transparent regarding its Personal Data processing activities and to 
provide Customers with reasonable cooperation and assistance within a reasonable period of time to help 
facilitate their respective data protection obligations regarding Personal Data, to the extent Customer, in 
its use of the Services, does not have the reasonable ability to address such obligations. 


The Salesforce Group shall also assist the Customer in implementing appropriate technical and 
organisational measures to comply with data protection principles and facilitate compliance with the 
requirements set up by the Salesforce UK Processor BCR in practice such as data protection by design 
and by default (as per Articles 25 and 47.2(d) UK GDPR). 


The Salesforce Group shall extend these obligations to Sub-processors for the benefit of Customers. 


C. Data Subject Rights 


Members of the Salesforce Group act as Processors on behalf of Customers. As between the Salesforce 
Group and Customers, Customers have the primary responsibility for interacting with Data Subjects, and 
the role of the Salesforce Group is generally limited to assisting Customers as needed. 


i. Data Subject Requests 


The Salesforce Group shall promptly notify Customer if the Salesforce Group receives a request from a 
Data Subject to exercise the Data Subject's right of access, right to rectification, restriction of processing, 
erasure (“right to be forgotten”), data portability, object to the processing, or its right not to be subject to 
an automated individual decision making, including profiling (“Data Subject Request”). In particular, the 
Salesforce Group shall not respond to such a Data Subject Request itself, except where Customer 
authorises the Salesforce Group to respond to the Data Subject to enable the Data Subject Request to be 
redirected to the Customer to respond directly. 


Taking into account the nature of the processing, the Salesforce Group shall assist Customer by 
appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of 
Customer’s obligation to respond to a Data Subject Request under UK Data Protection Laws and 
Regulations. In addition, to the extent Customer, in its use of the Services, does not have the ability to 
address a Data Subject Request, the Salesforce Group shall upon Customer’s request provide 
commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the 
extent the response to such Data Subject Request is required under UK Data Protection Laws and 
Regulations. To the extent legally permitted, Customer shall be responsible for any costs arising from the 
Salesforce Group’s provision of such assistance. 
ii. Handling of Complaints 


The Salesforce Group’s Privacy department shall be responsible for handling complaints related to 
compliance with the Salesforce UK Processor BCR. 


Data Subjects may lodge a complaint about processing of their respective Personal Data that is 
incompatible with the Salesforce UK Processor BCR by contacting the relevant Customer or the 
Salesforce Group’s Privacy department in writing at the email address privacy@salesforce.com. The 
Salesforce Group shall without undue delay communicate the complaint to the Customer to whom the 
Personal Data relates without obligation to handle it (except if it has been agreed otherwise with 
Customer). 


The Salesforce Group's process for liaising with Customer for the resolution of complaints is set out in its 
contract with the Customer (‘Rights of Data Subjects’). In particular, the Salesforce Group shall not 
respond to such a complaint itself, except where Customer authorises the Salesforce Group to redirect the 
complaint as necessary to Customer to allow Customer to respond directly. 


Taking into account the nature of the Processing, the Salesforce Group shall assist Customer by 
appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of 
Customer’s obligation to respond to a complaint under UK Data Protection Laws and Regulations. In 
addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data 
Subject complaint, the Salesforce Group shall upon Customer’s request provide commercially reasonable 
efforts to assist Customer in responding to such Data Subject complaint, to the extent the Salesforce 
Group is legally permitted to do so and the response to such Data Subject complaint is required under UK 
Data Protection Laws and Regulations. 


Customers shall be responsible for responding to all Data Subject complaints forwarded by the Salesforce 
Group except in cases where a Customer has disappeared factually or has ceased to exist in law or 
become insolvent. Where the Salesforce Group is aware of such a case, it will aim to provide the Data 
Subject with an initial acknowledgment of the complaint received and undertakes to respond directly to Data 
Subjects’ complaints within one (1) month, including the consequences of the complaint and further 
actions Data Subjects may take if they are unsatisfied by the reply (such as lodging a complaint before the 
UK Information Commissioner or bringing a claim before a UK court). Taking into account the complexity 
and number of requests, this period of one (1) month can be extended by two (2) further months, in which 
case the Salesforce Group will inform the Data Subjects accordingly. 


If a complaint is upheld by the Salesforce Group, the Salesforce Group’s Privacy department will inform 
the Data Subject of that fact, and will implement a remediation plan to ensure that the behaviour which 
gave rise to the complaint ceases. If the complaint is rejected, reasons for the rejection will be provided to 
the Data Subject, in addition to details of their rights as set out under Section 7.C (Modalities), below. 


Data Subjects may bring a claim before a UK court or complain to the UK Information Commissioner 
without first exhausting the Salesforce Group’s complaints process. 


D. Regulatory Inquiries and Complaints 


The Salesforce Group shall, to the extent legally permitted, promptly notify a Customer if the Salesforce 
Group receives an inquiry or complaint from the UK Information Commissioner in which that Customer 
is specifically named. Upon a Customer’s request, the Salesforce Group shall provide the Customer with 
cooperation and assistance in a reasonable period of time and to the extent reasonably possible in relation 
to any regulatory inquiry or complaint involving the Salesforce Group’s processing of Personal Data. 
E. Data Protection Impact Assessments 


Upon Customer’s request, the Salesforce Group shall provide Customer with reasonable cooperation and 
assistance needed to fulfil Customer’s obligation under UK Data Protection Laws and Regulations to 
carry out a data protection impact assessment related to Customer’s use of the Services, to the extent 
Customer does not otherwise have access to the relevant information, and to the extent such information 
is available to the Salesforce Group. The Salesforce Group shall provide reasonable assistance to 
Customer in the cooperation or prior consultation with the UK Information Commissioner in the 
performance of its tasks relating to this Section 4 E. of the Salesforce UK Processor BCR to the extent 
required under UK Data Protection Laws and Regulations. 


F. Records of Processing Activities 


As required by UK Data Protection Laws and Regulations, the Salesforce Group shall maintain a written 
record of all categories of processing activities carried out on behalf of each Customer in line with the 
requirements as set out in Article 30.2 UK GDPR and shall make that record available to the UK 
Information Commissioner upon request. The data processing records maintained by the Salesforce 
Group shall contain: 


• the name and contact details of the member of the Salesforce Group; 

• the name and contact details of each Customer on behalf of which it is acting (and, where 
applicable, the Customer's representative and the data protection officer); 

• the categories of processing carried out on behalf of each Customer; 

• details of the third country or countries to which Personal Data is transferred; and 

• where possible, a general description of the technical and organisational security measures 
used to protect Personal Data. 


5. Description of Processing Operations and Transfers 


A. Purpose Limitation 


The Salesforce Group shall only process Personal Data on behalf of and in accordance with Customer’s 
documented instructions for the following purposes: (i) processing in accordance with a Customer’s 
instructions set forth in the Customer’s contract with a member of the Salesforce Group including with 
regard to transfers of personal data to a third country (unless the Salesforce Group is legally required to 
do so by UK Data Protection Laws and Regulations, in which case prior information will be provided by 
the Salesforce Group to Customer unless such information is legally prohibited) in accordance with 
Article 28.3(a) UK GDPR; and (ii) processing initiated by the Customer in its use of the Services. If the 
Salesforce Group cannot comply with such purpose limitation, a member of the Salesforce Group shall 
promptly notify the relevant Customer, and such Customer shall be entitled to suspend the transfer of 
Personal Data and/or terminate the applicable order form(s) in respect to only those Services which 
cannot be provided by the Salesforce Group in accordance with such Customer’s instructions. On the 
termination of the provision of such Services, the Salesforce Group and third-party Sub-processors shall, 
at the choice of the Customer, return the Personal Data to the Customer and/or delete the Personal Data as 
set forth in the applicable customer contract and upon request from Customer, the Salesforce Group shall 
certify that it has done so. The only exception to this is if the law applicable to the Salesforce Group and 
its third-party Sub-processors requires the Salesforce Group and its third-party Sub-processors to retain 
the data that has been transferred in which case the Salesforce Group will inform the Customer and 
warrant that it will guarantee the confidentiality of the Personal Data transferred and will not actively 
process the Personal Data transferred anymore. 
B. Nature of Personal Data Processed 


The Salesforce UK Processor BCR will apply to Personal Data submitted by Customers to the Services. 
The Salesforce Group’s Customers determine what Personal Data, if any, is submitted to the Services 
under the conditions set out in the contract. The types of Processing subject to the Salesforce UK 
Processor BCR will be as agreed and in accordance with instructions from Customers. 


The following types of Personal Data are expected to be submitted to the Services by Customers. 


• First and last name 

• Title 

• Position (e.g. job title, job code, etc.) 

• Employer (e.g. current employer, former employer, etc.) 

• Contact information (company, email, phone, physical business address) 

• ID data (e.g. copies of passport or other ID document, etc.) 

• Professional life data (e.g. education, professional experience, salary information, etc.) 

• Personal life data (e.g. marital status, dependants, etc.) 

• Location data 


These types of Personal Data are expected to relate to the following categories of Data Subjects as 
determined by Customers: 


• Prospects, customers, business partners and vendors of Customer (who are natural 
persons) 

• Current and former employees or contact persons of Customer’s prospects, customers, 
business partners and vendors 

• Current and former employees, agents, advisors, freelancers of Customer (who are 
natural persons) 

• Customer’s users authorized by Customer to use the Services (i.e. the end user of the 
Services). 


Customers are allowed to submit special categories of Personal Data to some Services under the 
conditions set out in the contract. In particular, Customers may submit special categories of data to the 
Services, the extent of which is determined and controlled by the Customer in its sole discretion, and 
which is for the sake of clarity Personal Data with information revealing racial or ethnic origin, political 
opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic 
data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or 
data concerning a natural person’s sex life or sexual orientation. 


C. Affected Data Subjects 


The Salesforce Group does not choose or determine the categories of Data Subjects that relate to the 
Personal Data submitted to the Services. The Salesforce Group’s Customers solely determine the Data 
Subjects whose Personal Data is submitted to the Services. 


D. Countries of location of the Salesforce Group Affiliate Sub-processors 


The countries where the Salesforce affiliate Sub-processors of Personal Data are located are listed in the 
Infrastructure and Sub-processor documentation for each Service covered by the Salesforce UK Processor 
BCR, available here. 
E. Data Quality 


Customers have access to, and control of, Personal Data in their use of the Services. To the extent a 
Customer, in its use of the Services, does not have the ability to anonymize, correct, amend, update or 
delete Personal Data, as required by UK Data Protection Laws and Regulations, the Salesforce Group 
and/or its Sub-processors shall comply with any request by a Customer in a reasonable period of time and 
to the extent reasonably possible to facilitate such actions by executing any measures necessary to comply 
with UK Data Protection Laws and Regulations, in a reasonable period of time and to the extent 
reasonably possible to the extent the Salesforce Group and/or its Sub-processor is legally permitted to do 
so. The Salesforce Group and/or its Sub-processor will, to the extent reasonably required for this purpose, 
inform each member of the Salesforce Group to whom the Personal Data may be stored of any 
anonymization, rectification, amendment, update or deletion of such data. If any such anonymization, 
correction, amendment, update or deletion request is applicable to a third-party Sub-processor’s 
processing of Personal Data, the Salesforce Group and/or its Sub-processors shall communicate such 
request to the applicable third-party Sub-processor(s). 


F. Sub-processing 


i. Sub-processing Within the Salesforce Group 


As set forth in applicable contracts with Customers, members of the Salesforce Group may act as or be 
retained as Sub-processors of Personal Data, and depending on the location of the Salesforce Group 
member, processing of Personal Data by such Sub-processors may involve transfers of Personal Data. 
The Salesforce UK Processor BCR extends to all members of the Salesforce Group. The Salesforce UK 
Processor BCR is incorporated by reference into the Salesforce Group’s Code of Conduct which is 
available here. 


ii. Sub-processing by Third Parties 


As set forth in applicable contracts with Customers, members of the Salesforce Group may retain 
third-party Sub-processors, and depending on the location of the third-party Sub-processor, processing of 
Personal Data by such Sub-processors may involve transfers of Personal Data. Such third-party 
Sub-processors shall process Personal Data only: (i) in accordance with the Customer’s instructions set 
forth in the Customer’s contract with a member of the Salesforce Group; or (ii) if processing is initiated 
by the Customer in its use of the Services. The current list of third-party Sub-processors engaged in 
processing Personal Data, including a description of their processing activities, is available in the 
Infrastructure and Sub-processor documentation for each Service covered by the Salesforce UK Processor 
BCR, available here. Such third-party Sub-processors have entered into written agreements with a 
member of the Salesforce Group in accordance with the applicable requirements of Articles 28, 29, 32, 
45, 46 and 47 of the UK GDPR, as well as the relevant sections of the Salesforce UK Processor BCR as 
applicable to the third-party Sub-processor’s processing activities. 


iii. Notification of New Sub-processors and Objection Rights 


As set forth in applicable contracts with Customers, the Salesforce Group shall provide Customers with 
prior notification before a new Sub-processor begins processing Personal Data. Within thirty (30) days of 
receiving such notice, a Customer may object to Salesforce Group’s use of a new Sub-processor by 
notifying the Salesforce Group in accordance with the provisions set forth in the Customer’s contract. In 
the event Customer objects to a new Sub-processor, as permitted in the preceding sentence, the Salesforce 
Group will use reasonable efforts to make available to Customer a change in the Services or recommend a 
commercially reasonable change to Customer’s configuration or use of the Services to avoid processing 
of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Customer. If 
the Salesforce Group is unable to make available such change within a reasonable period of time, which 
shall not exceed sixty (60) days, Customer may terminate the applicable order form(s) with respect only 
to those Services which cannot be provided by the Salesforce Group without the use of the objected-to 
new Sub-processor by providing written notice to the Salesforce Group. The Salesforce Group will refund 
Customer any prepaid fees covering the remainder of the term of such order form(s) following the 
effective date of termination with respect to such terminated Services, without imposing a penalty for 
such termination on Customer. 


6. Confidentiality and Security Measures 


A. Confidentiality and Training 


The Salesforce Group shall ensure that its personnel engaged in the processing of Personal Data are 
informed of the confidential nature of the Personal Data, have executed written confidentiality agreements 
and have received appropriate training on their responsibilities. Additionally, the Salesforce Group shall 
ensure that its personnel responsible for the development of the tools used to process Personal Data have 
received appropriate training on their responsibilities. Such training shall include training on the 
Salesforce UK Processor BCR. The Salesforce Group shall also ensure that its personnel engaged in the 
processing of Personal Data are limited to those personnel who require such access to perform the 
Salesforce Group’s obligations under applicable contracts with Customers. 


B. Data Security 


The Salesforce Group and its Sub-processors shall maintain appropriate administrative, technical and 
physical measures for protection of the security (including protection against unauthorized or unlawful 
processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized 
disclosure of, or access to, Personal Data), confidentiality and integrity of Personal Data, as set forth in 
applicable contracts with Customers. The Salesforce Group and its Sub-processors shall implement 
technical and organizational measures which at least meet the requirements of UK Data Protection Laws 
and Regulations, and any existing particular measure specified in the contract with the Customer. The 
Salesforce Group and its Sub-processors regularly monitor compliance with these measures. The 
Salesforce Group and its Sub-processors will not materially decrease the overall security of the Services 
during a Customer’s applicable subscription term. 


C. Personal Data Incident Management and Notification 


In the event a member of the Salesforce Group becomes aware of the accidental or unlawful destruction, 
loss, alteration, unauthorized disclosure of, or access to Personal Data, transmitted, stored or otherwise 
processed by the Salesforce Group or its Sub-processors (a “Personal Data Incident”) the Salesforce 
Group will without undue delay after becoming aware notify affected Customers. The Salesforce Group 
shall make reasonable efforts to identify the cause of such Personal Data Incident and take those steps as 
the Salesforce Group deems necessary and reasonable in order to remediate the cause of such a Personal 
Data Incident to the extent the remediation is within the Salesforce Group’s reasonable control. The 
obligations herein shall not apply to incidents that are caused by Customer or Customer’s users. 


D. Audits 


The Salesforce Group shall maintain an audit program to help ensure compliance with the Salesforce UK 
Processor BCR, including the following third-party audits and certifications, internal audits focused on 
the Salesforce UK Processor BCR and audits by Customers (referred to collectively in the Salesforce UK 
Processor BCR as the "audit program"). The audit program covers all aspects of the Salesforce UK 
Processor BCR, including methods for ensuring non-compliance is addressed. 


i. Third-Party Audits and Certifications 


The Security, Privacy and Architecture Documentation, available here describes the third-party audits and 
certifications applicable to each Service. The third-party audits and certifications are programs that are 
overseen by a party external to the Salesforce Group. The scope of these third-party audits and 
certifications is set forth in the corresponding audit reports and certificates which the Salesforce Group 
shall make available to its Customers upon request. Where the Salesforce Group has obtained the 
following third-party audits and certifications, the Salesforce Group agrees to maintain these, or their 
successors. These audits assist the Salesforce Group in demonstrating that it is meeting its security 
obligations as set out in Section 6.B of the Salesforce UK Processor BCR and Article 32 of the UK 
GDPR. 


- ISO 27001 certification: The Salesforce Group is subject to an information security 
management system (ISMS) in accordance with the ISO 27001 international standard. Members 
of the Salesforce Group have achieved ISO 27001 certification for their ISMS from an 
independent third party. 


- SSAE 18 Service Organization Control (SOC) reports: The Salesforce Group’s information 
security control environment applicable to the Services undergoes an independent evaluation in 
the form of SSAE 18 Service Organization Control (SOC) reports, which are available to 
Customers upon request. 


ii. Network of Privacy Personnel 


The Salesforce Group has appointed a network of privacy personnel responsible for overseeing and 
ensuring compliance with the Salesforce Group’s data protection responsibilities at a local and global 
level, including compliance with this Salesforce UK Processor BCR, advising management on data 
protection matters, liaising with data protection authorities, and handling data protection-related 
complaints. Each member of the Salesforce Group shall be assigned such a member of the network of 
privacy personnel. Such privacy personnel are primarily responsible for privacy-related matters and report 
to the Salesforce Group’s Data Protection Officer (who reports to the Salesforce Group’s general counsel) 
and benefit from the support of the Salesforce Group’s senior management. The Salesforce Group’s Data 
Protection Officer is responsible for the Salesforce Group’s compliance with applicable privacy and data 
protection laws and leads the Salesforce Group’s network of privacy personnel. The Salesforce Group’s 
network of privacy personnel have regional responsibility for the Salesforce Group’s compliance with 
applicable privacy and data protection laws. 


iii. Salesforce UK Processor BCR Internal Audit 


The Salesforce Group’s compliance department shall conduct an audit of the Salesforce Group’s 
compliance with the Salesforce UK Processor BCR annually or on the specific request of the Salesforce 
Group’s Data Protection Officer, which is provided to the Salesforce Group’s Data Protection Officer, 
compliance officer and Salesforce, Inc.’s board of directors. Such an assessment shall include any 
necessary corrective actions, timeframes for completing such corrective actions, and follow up by 
Salesforce’s compliance department to ensure such corrective actions have been completed. 
The UK Information Commissioner may upon request have access to the reports of the audit program and 
may carry out a data protection audit of any member of the Salesforce Group. 


iv. Customer Audits 


Upon a Customer’s written request, and subject to appropriate confidentiality obligations, the Salesforce 
Group shall make available to the Customer (or such Customer’s independent, third-party auditor that is 
not a competitor of the Salesforce Group) information regarding the Salesforce Group’s and third-party 
Sub-processors’ compliance with the data protection controls set forth in this Salesforce UK Processor 
BCR. 


With respect to the Salesforce Group’s compliance with the data protection controls set forth in the 
Salesforce UK Processor BCR, the Salesforce Group shall make available third-party certifications and 
audits set forth in the contract to the extent Salesforce makes them generally available to its customers. 


With respect to third-party Sub-processors’ compliance with the data protection controls set forth in the 
Salesforce UK Processor BCR, the Salesforce Group shall provide the requesting Customer a report of the 
Salesforce Group’s audits of third-party Sub-processors and/or a report of third party auditors’ audits of 
third-party Sub-processors that will have been provided by those third-party Sub-processors to the 
Salesforce Group. 


Customer acknowledges and agrees to exercise its audit right by hereby instructing the Salesforce Group 
and the Salesforce Group’s third party Sub-processors to carry out the audit as described in this Section 
6.D (iv). 


Customer has the right to change at any moment its instruction regarding the exercise of its audit right by 
sending the relevant member of the Salesforce Group a notice in writing. 


If Customer changes its instruction and thereby requests to exercise its audit right directly, Customer shall 
reimburse the Salesforce Group for any time expended by the Salesforce Group or its third-party 
Sub-processors for any on-site audit carried out by the Customer at the Salesforce Group’s then-current 
professional service rates, which shall be made available to Customer upon Customer’s request. Before 
any such on-site audit commences, the requesting Customer and the Salesforce Group or its third party 
Sub-processors as appropriate shall mutually agree upon the scope, timing, and duration of the audit in 
addition to the reimbursement rate for which the Customer shall be responsible. All reimbursement rates 
shall be reasonable, taking into account the resources expended by the Salesforce Group or its third-party 
Sub-processors. 


As set forth in applicable contracts with Customers, a Customer who performs an audit in accordance 
with this Section must promptly provide the Salesforce Group with information regarding any 
non-compliance discovered during the course of an audit. 


Nothing in this Section affects the UK Information Commissioner’s or Data Subject’s rights under the 
Salesforce UK Processor BCR. 


7. Third-Party Beneficiary Rights 


The Salesforce UK Processor BCR grants rights to Data Subjects in certain circumstances to directly 
enforce the Salesforce UK Processor BCR as third-party beneficiaries against the Salesforce Group. This 
includes where a Salesforce Group member outside the UK or an external Sub-processor breaches any of 
the enforceable elements of the Salesforce UK Processor BCR, as further described below. The Data 
Subjects that are granted third-party beneficiary rights are those Data Subjects whose Personal Data has 
been submitted to the Services by Customers for processing by the Salesforce Group on their behalf. 


A. Rights directly enforceable against the Salesforce Group 


Data Subjects may directly enforce the following elements of the Salesforce UK Processor BCR against 
the Salesforce Group as third party beneficiaries: 


a. Duty to respect the instructions from the Customer regarding the Data Processing 
including for data transfers to third countries located outside the United Kingdom 
(Section 4); 

b. Duty to implement appropriate technical and organizational security measures and duty to 
notify any security breach to the Customer (Section 6); 

c. Duty to respect the conditions when engaging a Sub-processor either within or outside the 
Salesforce Group (Section 5); 

d. Duty to cooperate with and assist the Customer in complying and demonstrating 
compliance with UK Data Protection Laws and Regulations such as for answering 
requests from Data Subjects in relation to their rights under UK Data Protection Laws 
and Regulations (Section 4); 

e. Provide an easy access to the Salesforce UK Processor BCR (Section 3); 

f. Right to complain through internal complaint mechanisms (Section 4); 

g. Duty to cooperate with the UK Information Commissioner (Section 9); 

h. Liability, compensation and jurisdiction provisions (Section 8); and 

i. National legislation preventing respect of the Salesforce UK Processor BCR (Section 10). 


B. Rights enforceable against the Salesforce Group where the Data Subject is not able to bring a 
claim against the Customer 


Data Subjects may directly enforce against the Salesforce Group the following elements of the Salesforce 
UK Processor BCR as third-party beneficiaries in those limited situations where a Data Subject is unable 
to bring a claim against the relevant Customer because such Customer has factually disappeared or ceased 
to exist in law or become insolvent unless a successor entity has been appointed to assume the legal 
obligations of the Customer by contract or by operation of law: 


- Duty to respect the Salesforce UK Processor BCR (Section 4); 

- Creation of third party beneficiary rights for Data Subjects (Section 7); 

- Liability of Salesforce UK Limited for paying compensation and to remedy breaches to the 
Salesforce UK Processor BCR (Section 8); 

- Burden of proof on Salesforce UK Limited to demonstrate that the member of the Salesforce 
Group outside of the UK or the external Sub-processor is not liable for any violation of the rules 
which has resulted in the Data Subject claiming damages (Section 8); 

- Easy access for the Data Subjects to access the Salesforce UK Processor BCR and in particular 
information about their third party beneficiary rights and on the means to exercise those rights 
(Section 3 and Section 7); 

- Existence of a complaint handling process for the Salesforce UK Processor BCR (Section 4); 

- Duty for the Salesforce Group to cooperate with the UK Information Commissioner (Section 9); 
- Duty for the Salesforce Group to cooperate with the Customer (Section 4); 

- Description of the privacy principles (Sections 4, 5 and 6); 

- List of entities bound by the Salesforce UK Processor BCR (Section 2); and 

- Transparency requirement where national legislation prevents the Salesforce Group from 
complying with the Salesforce UK Processor BCR (Section 10). 


C. Modalities 


The Data Subjects’ rights as mentioned under sections A and B above shall cover the judicial remedies for 
any breach of the third party beneficiary rights guaranteed and the right to obtain redress and where 
appropriate, receive compensation for any material or non-material damage resulting from a violation of 
the Salesforce UK Processor BCR. 


In particular, Data Subjects shall be entitled to lodge a complaint before: 
- the UK Information Commissioner; and 
- the competent UK court. 


Where the Salesforce Group and the Customer involved in the same processing are found responsible for 
any material or non-material damage caused by such processing, the Data Subject shall be entitled to 
receive compensation for the entire damage directly from the Salesforce Group. 


Salesforce will ensure that Data Subjects have easy access to the Salesforce UK Processor BCR by 
making it available to Data Subjects here. 


8. Liability and Enforcement 

Salesforce’s contractual obligations for the processing of Personal Data shall include a reference to the 
Salesforce UK Processor BCR and the Salesforce UK Processor BCR shall form part of those contracts to 
ensure they are binding towards the Customer. These contracts shall comply with Article 28 of the UK 
GDPR. 


In accordance with such contracts, Customers shall have the right to enforce the Salesforce UK Processor 
BCR against any member of the Salesforce Group, for breaches they caused including judicial remedies 
and the right to receive compensation for any material or non-material damages resulting from a violation 
of the Salesforce UK Processor BCR. 


Moreover, Customers shall have the right to enforce the Salesforce UK Processor BCR against Salesforce 
UK Limited in case of: (i) a breach of the Salesforce UK Processor BCR or of the contract by members of 
the Salesforce Group established outside of the UK; or (ii) a breach by external Sub-processors 
established outside the UK of their sub-processing agreement with the Salesforce Group. 


In respect of both Customer and Data Subjects, Salesforce UK Limited accepts responsibility for and 
agrees to take the necessary actions to remedy the acts of other members of the Salesforce Group 
established outside of the UK and third-party Sub-processors for breaches of the Salesforce UK Processor 
BCR or breaches caused by third-party Sub-processors established outside the UK and to pay 
compensation for any material or non-material damages resulting from a violation of the Salesforce UK 
Processor BCR. 


Salesforce UK Limited accepts liability as if the violation had taken place by Salesforce UK Limited in 
the UK instead of the member of the Salesforce Group outside of the UK or the third party Sub-processor 
established outside the UK and the UK courts or other competent authorities in the UK will have 
jurisdiction. Salesforce UK Limited may not rely on a breach of its obligations by a Sub-processor 
established outside the UK (internal or external to the Salesforce Group) in order to avoid its own 
liabilities. 


Salesforce UK Limited has the burden of proof to demonstrate that the member of the Salesforce Group 
outside of the UK or the third party Sub-processor is not liable for any violation of the rules which has 
resulted in the Data Subject claiming damages or remedy. 


To the extent a Customer can demonstrate that Customer has suffered damages and establishes facts 
showing that it is likely that such damages have occurred because of the Salesforce Group’s breach of the 
Salesforce UK Processor BCR, Salesforce UK Limited shall be responsible for proving that the Salesforce 
Group member outside of the UK — or the third-party Sub-processor — was not responsible for the breach 
of the Salesforce UK Processor BCR giving rise to the damages or that no such breach took place. 


If Salesforce UK Limited can prove that the Salesforce Group member outside of the UK is not 
responsible for the act leading to the damages suffered by Customer or the Data Subject, Salesforce UK 
Limited may discharge itself from any responsibility. 


9. Cooperation with the UK Information Commissioner 


The Salesforce Group shall cooperate with the UK Information Commissioner, consider any 
communication or recommendation from the UK Information Commissioner, reply to any requests and 
abide by any formal decisions or notices issued by the UK Information Commissioner regarding the 
interpretation and application of the Salesforce UK Processor BCR. 


Upon request, the Salesforce Group shall provide the UK Information Commissioner: (i) a copy of the 
Salesforce Group’s annual assessment of compliance with the Salesforce UK Processor BCR and/or the 
reports of the audit program; and (ii) the ability to conduct an onsite audit of the Salesforce Group’s 
architecture, systems and procedures relevant to the protection of Personal Data under the Salesforce UK 
Processor BCR. 


10. Local Law Requirements 


Where a member of the Salesforce Group reasonably believes that legislation applicable to the member of 
the Salesforce Group prevents it from fulfilling its obligations under the Salesforce UK Processor BCR, 
the contract with the Customer or the instructions of a Customer, it shall promptly notify the Salesforce 
Group’s Privacy department in addition to affected Customers and the UK Information Commissioner. In 
such a case, the Salesforce Group shall use reasonable efforts to make available to the affected Customers 
a change in the Services or recommend a commercially reasonable change to the Customers’ 
configuration or use of the Services to facilitate compliance with the legislation applicable to the relevant 
member of the Salesforce Group without unreasonably burdening Customers or at the detriment of 
fulfilling Salesforce's obligations under the UK BCRs or its contract with the Customer. If the Salesforce 
Group is unable to make available such change promptly, Customers may terminate the applicable order 
form(s) and suspend the transfer of data in respect to only those Services which cannot be provided by the 
Salesforce Group in accordance with the legislation applicable to the relevant member of the Salesforce 
Group or at the detriment of fulfilling Salesforce's obligations under the Salesforce UK Processor BCR or 
its contract with the Customer by providing written notice to the member of the Salesforce Group with 
whom the Customer has contracted. Such Customer shall receive a refund of any prepaid fees for the 
period following the effective date of termination for such terminated Services. 


The Salesforce Group may receive requests for disclosure of Personal Data by law enforcement 
authorities or state security bodies. Any legally binding request will be communicated to the Customer 
unless otherwise legally prohibited (such as a prohibition under criminal law to preserve the 
confidentiality of a law enforcement investigation). In any case, the member of the Salesforce Group that 
receives a request will put the request for disclosure on hold and inform the UK Information 
Commissioner clearly about the request, the requesting body and the legal basis for disclosure, unless 
otherwise legally prohibited. 


To the extent the member of the Salesforce Group that receives a request is prohibited by law from 
providing such notification, the Salesforce Group shall: (i) review each request on a case-by-case basis; 
(ii) use best efforts to request that the confidentiality requirement be waived to enable the member of the 
Salesforce Group that receives the request to communicate as much information as it can, as soon as 
possible, to the UK Information Commissioner; and (iii) maintain evidence of any such attempt to have a 
confidentiality requirement waived. 


On an annual basis, the Salesforce Group shall provide the UK Information Commissioner with general 
information (e.g. number of applications for disclosure, type of data requested and requester if possible, 
etc.) about the legally binding requests for disclosure of Personal Data the Salesforce Group receives by 
law enforcement authorities or state security bodies. 


Transfers of Personal Data by the Salesforce Group to any public authority cannot be massive, 
disproportionate and indiscriminate in a manner that would go beyond what is necessary in a democratic 
society. 


11. Data Protection Officer 


The Salesforce Group has appointed a data protection officer in accordance with Article 37 of the UK 
GDPR for the Salesforce Group who can be reached at privacy@salesforce.com. 


12. Salesforce UK Processor BCR and Applicable Law 

Where national law applicable to a member of the Salesforce Group requires a higher level of protection 
for Personal Data than what is set out in the Salesforce UK Processor BCR, then that national law 
applicable to the member of the Salesforce Group will take precedence over the Salesforce UK Processor 
BCR. Where there is no national law applicable to a member of the Salesforce Group or if the standards 
required by national law applicable to a member of the Salesforce Group are lesser than or do not meet 
the standards set out in the Salesforce UK Processor BCR, the Salesforce Group shall process Personal 
Data in accordance with the Salesforce UK Processor BCR. 


In any event the Salesforce Group shall process Personal Data in accordance with the national law 
applicable to the Salesforce Group. 


Appendix A — Services to which the Salesforce UK Processor BCR applies 


The Salesforce UK Processor BCR applies to the services branded as the following: 


Accounting Subledger 
Admissions Connect 
Advertising Studio (formerly branded as Social.com and Active Audiences) 
Audience Studio and Data Studio (formerly branded as Krux or Salesforce DMP) 
Automotive Cloud 
B2B Commerce and B2B Commerce on Lightning Experience (formerly branded as CloudCraze) 
B2C Commerce (formerly branded as Commerce Cloud or Demandware) 
Chatter 
Consumer Goods Cloud 
Customer Data Cloud (aka Salesforce Data Cloud) 
Customer Data Platform (formerly branded as CDP, formerly branded as Customer 360 Audiences) 
Customer 360 Data Manager 
Datorama 
Datorama Reports for Marketing Cloud 
Digital Process Automation 
Einstein Bots 
Einstein Conversation Insights 
Einstein Copy Insights 
Einstein Discovery Classic (formerly branded as Einstein Discovery and BeyondCore) 
Einstein Engagement Scoring 
Einstein Prediction Builder 
Einstein Relationship Insights 
Einstein Vision and Language 
Einstein Vision for Social Studio 
Emergency Program Management 
Employee Productivity 
Enablement 
Enhanced Messaging 
Evergage (services branded or sold as Evergage, Data Science Workbench, and Data Warehouse) 
ExactTarget 
Experience Cloud (formerly branded as Community Cloud) 
Financial Services Cloud 
foundationConnect 
Government Cloud Plus 
Grants Management 
Headless Browser Service 
Health Cloud 
Heroku 
High Velocity Sales 
Intelligent Form Reader (IFR) 
Interaction Studio 
IoT Cloud 
IoT Explorer 
Lightning Platform (including Force.com) 
LiveMessage 
Loyalty Management 
Manufacturing Cloud 
Marketing Cloud Einstein (formerly branded as Predictive Intelligence) 
Marketing Cloud for Nonprofits 
Messaging 
Messaging for In-App and Web 
Microsoft Teams Integration 
MuleSoft 
Net Zero Cloud (formerly branded as Sustainability Cloud) 
Nonprofit Cloud Case Management 
Order Management 
Pardot and Pardot Einstein 
Privacy Center 
Public Sector Solutions 
Safety Cloud 
Sales Cloud and Sales Cloud Einstein 
Sales Enablement (formerly branded as myTrailhead) 
Salesforce Anywhere (formerly branded as Quip) 
Salesforce Commerce for B2C (formerly branded as B2B2C Commerce) 
Salesforce Connect 
Salesforce CPQ and Salesforce Billing (together formerly branded as Salesforce Quote to 
Salesforce Inbox 
Salesforce Maps (Map Anything) 
Salesforce Order Management 
Salesforce Private Connect 
Salesforce Slack Integration Proxy 
Salesforce.org Elevate 
Salesforce.org Insights Platform: Data Integrity 
Service Cloud and Service Cloud Einstein 
Service Cloud Voice 
Shift Management 
Site.com 
Slack 
Social Studio 
Student Success Hub (including the former Salesforce Advisor Link) 
Subscription Management 
Tableau CRM (formerly branded as Einstein Analytics, Analytics Cloud or Wave Analytics) 
Tableau Online 
Vlocity Managed Packages 
WDC 
Workplace Command Center 
Workforce Engagement Management (WEM) 


